About Virtual Private Networking

A virtual private network (VPN), in the broadest sense, is a network route, referred to as a tunnel, between computer networks, or individual computers, across a public network. The public network, in most cases, is the Internet. Typically, a VPN replaces a leased line or other circuit which is used to link networks together over some geographic distance.

In a similar way to how a VPN can replace leased line circuits used to route networks together, a VPN can also replace Remote Access Server (RAS) phone or ISDN lines. These types of connections are usually referred to as roadwarriors.

There are several technologies which implement VPNs. The most commonly deployed VPN protocol is called IPSec (IP Security), and is a well established and open Internet standard.

VPNs are mostly used to link multiple branch office networks together (site-to-site VPNs), or to connect mobile and home users to their office network.

The network route of a site-to-site or roadwarrior VPN is provided by a VPN tunnel. Tunnels are formed between two VPN gateways. All data traversing the tunnel is encrypted, making the tunnel and its contents unintelligible, and therefore private, to the outside world.

Pre-Shared Key authentication, usually referred to as PSK, is a simplistic authentication method based on a password challenge.

To use the Pre-Shared Key (PSK) method, connecting VPN gateways are pre-configured with a shared password that only they know. When initiating a VPN connection, each gateway requests the other’s password. If the password received by each gateway matches the password stored by each gateway, both gateways know that the other must be genuine. Hence, each gateway is authentic and a secure, trusted VPN tunnel can be established.

The simplicity of PSK is both its strength and its weakness. While PSK tunnels are quick to set up, there are human and technological reasons that make this method unsuitable for larger organizations. Password protection is easily circumvented as passwords are frequently written down, spoken aloud or shared amongst administrator colleagues. Some VPN configurations will also require multiple tunnels to use the same password – highly undesirable if your organization intends to create multiple roadwarrior VPN connections.

PSK authentication is best suited when a single site-to-site or roadwarrior VPN capability is required. While it is possible to create large VPN networks based entirely on PSK authentication, such a scheme is likely to prove unmanageable in the long run and liable to misuse.
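The following is an added illustration of the PSK idea described above, not Smoothwall's own code and not the actual IKE/IPSec exchange: each gateway proves it knows the shared password by answering the peer's random challenge with a keyed hash, so the password itself is never sent over the wire. The gateway names and message layout are constructed for this example.

```python
import hashlib
import hmac
import secrets


class Gateway:
    """A VPN gateway endpoint holding a pre-shared key (constructed example)."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self._psk = psk

    def make_challenge(self) -> bytes:
        # A fresh random nonce per attempt means an old response cannot be replayed.
        return secrets.token_bytes(32)

    def respond(self, peer_name: str, challenge: bytes) -> bytes:
        # Bind the response to both identities so it cannot simply be reflected
        # back at the sender or reused against a different peer.
        msg = self.name.encode() + b"|" + peer_name.encode() + b"|" + challenge
        return hmac.new(self._psk, msg, hashlib.sha256).digest()

    def verify(self, peer_name: str, challenge: bytes, response: bytes) -> bool:
        expected_msg = peer_name.encode() + b"|" + self.name.encode() + b"|" + challenge
        expected = hmac.new(self._psk, expected_msg, hashlib.sha256).digest()
        # Constant-time comparison: a plain '==' would leak the position of the
        # first differing byte through timing.
        return hmac.compare_digest(expected, response)


def mutual_authenticate(a: Gateway, b: Gateway) -> bool:
    """Both gateways challenge each other; the tunnel is accepted only if both
    responses verify, so a peer that does not hold the same PSK is rejected."""
    challenge_from_a = a.make_challenge()
    challenge_from_b = b.make_challenge()
    response_by_a = a.respond(b.name, challenge_from_b)  # a answers b's challenge
    response_by_b = b.respond(a.name, challenge_from_a)  # b answers a's challenge
    return (b.verify(a.name, challenge_from_b, response_by_a)
            and a.verify(b.name, challenge_from_a, response_by_b))


def replay_is_rejected(a: Gateway, b: Gateway) -> bool:
    """Show that a response captured for one challenge does not satisfy a new one."""
    old_challenge = b.make_challenge()
    captured = a.respond(b.name, old_challenge)
    new_challenge = b.make_challenge()
    return not b.verify(a.name, new_challenge, captured)


if __name__ == "__main__":
    hq = Gateway("hq", b"constructed-example-psk")
    branch = Gateway("branch", b"constructed-example-psk")
    rogue = Gateway("branch", b"guessed-psk")
    print("genuine peers:", mutual_authenticate(hq, branch))
    print("wrong key:", mutual_authenticate(hq, rogue))
    print("replay rejected:", replay_is_rejected(hq, branch))
```

The weakness the text describes is visible here: security rests entirely on the secrecy of the single key both sides hold, and if several tunnels are configured with the same PSK, any one party that learns it can pass this exchange for all of them.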

X509 certificate authentication is an industry-strength, internationally recognized authentication method that uses a system of digital certificates, as standardized by the ITU-T and ISO.

In this model, each VPN gateway is given a digital certificate that it can present to prove its identity, much like a traveler can present his or her passport. Digital certificates are created and issued by a trusted entity called a Certificate Authority (CA), just like a government is entrusted to provide its citizens with passports. In the world of digital certificates, a Certificate Authority can be called upon to validate the authenticity of a certificate, in the same way that a government can be asked to validate a citizen's passport.

About Username and Password Authentication

In addition to using X509, all users of L2TP roadwarrior connections must enter a valid username and password, as specified when the L2TP tunnel definition is created.

This ensures that both the user and the VPN gateway (the L2TP client) are authenticated.

Alternatively, digital certificates can be leased from commercial providers such as Verisign or Thawte and then imported, or they can be created by a separate Certificate Authority. The use of a local Smoothwall Certificate Authority is recommended as a more convenient and equally secure approach. For more information, see Creating a Certificate Authority.

It is usual for a single Certificate Authority to provide certificates for an entire network of peer systems, but there are alternative schemes that use multiple CAs, which are discussed later.

The Smoothwall supports three different VPN protocols for creating roadwarrior connections:

L2TP — L2TP connections are extremely easy to configure for roadwarriors using Microsoft operating systems. There are fewer configuration parameters to consider when creating a tunnel specification. However, all L2TP roadwarriors must connect to the same internal network.

IPSec — IPSec roadwarrior connections use the same technology that the Smoothwall uses to create site-to-site VPNs. It is recommended for roadwarriors using Apple Mac, Linux or other non-Microsoft operating systems. IPSec roadwarriors must have IPSec client software installed and configured to connect to the Smoothwall. IPSec roadwarriors can be configured to connect to any internal network.

OpenVPN SSL — OpenVPN SSL uses light-weight clients which can be easily configured and distributed. Any user account can authenticate against the configured directory service using its Smoothwall credentials.

When a roadwarrior connects to the Smoothwall, it is given an IP address on a specified internal network. When connected, the roadwarrior client machine will, to all intents and purposes, be on the configured internal network. You can route to other subnets, including other VPN-connected ones. Other machines on the same internal network can see the client, just as if it was plugged into the network directly.

Each roadwarrior must use a unique, unused IP address. Typically, you would choose a group of IP addresses outside of either the DHCP range, or statically assigned machines such as servers.

When configuring a tunnel, the client IP setting is used to assign the roadwarrior's IP address on the local network. This IP address must belong to the network that the roadwarrior connects to (globally specified for L2TP connections, individually specified for each IPSec roadwarrior).

Each user requires their own tunnel, so create as many tunnels as there are roadwarriors.
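As an added example (not part of Smoothwall's documentation or software), the following check applies the address-planning rules above to a proposed set of roadwarrior client addresses: each must lie inside the internal network, outside the DHCP range, away from statically assigned hosts, and be unique across tunnels. The network, DHCP range, hosts and pool used in the usage call are constructed values.

```python
import ipaddress


def check_roadwarrior_pool(internal_net, dhcp_start, dhcp_end, static_hosts, pool):
    """Validate proposed roadwarrior client addresses.

    Returns a list of (address, problems) tuples in pool order; an empty
    problems list means the address is usable for a roadwarrior tunnel.
    """
    net = ipaddress.ip_network(internal_net, strict=True)
    dhcp_lo = ipaddress.ip_address(dhcp_start)
    dhcp_hi = ipaddress.ip_address(dhcp_end)
    static = {ipaddress.ip_address(h) for h in static_hosts}
    seen = set()
    report = []
    for item in pool:
        addr = ipaddress.ip_address(item)
        problems = []
        if addr not in net:
            # The client must appear to be on the configured internal network.
            problems.append("outside internal network")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append("network or broadcast address")
        if dhcp_lo <= addr <= dhcp_hi:
            # A DHCP lease could later hand the same address to another host.
            problems.append("inside DHCP range")
        if addr in static:
            problems.append("statically assigned host")
        if addr in seen:
            # Each roadwarrior needs its own tunnel and its own unused address.
            problems.append("duplicate in pool")
        seen.add(addr)
        report.append((str(addr), problems))
    return report


def usable_addresses(report):
    """Addresses from a check_roadwarrior_pool() report that had no problems."""
    return [addr for addr, problems in report if not problems]


if __name__ == "__main__":
    # Constructed planning data: a /24 office LAN, DHCP on .100-.199, a file
    # server on .5, and a candidate pool for roadwarrior tunnels.
    result = check_roadwarrior_pool(
        "192.168.10.0/24", "192.168.10.100", "192.168.10.199",
        static_hosts=["192.168.10.5"],
        pool=["192.168.10.201", "192.168.10.150", "192.168.10.5",
              "192.168.10.201", "10.0.0.7", "192.168.10.255"],
    )
    for addr, problems in result:
        print(addr, "OK" if not problems else "; ".join(problems))
    print("usable:", usable_addresses(result))
```

Running the check before creating tunnels catches the two mistakes that are hardest to diagnose afterwards: an address that DHCP may later lease to a second machine, and an address reused across two roadwarrior tunnels.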